summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--ssh-keygen.c20
1 files changed, 16 insertions, 4 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c
index a5d09c2a1..e90b85ffa 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keygen.c,v 1.373 2019/11/25 00:57:27 djm Exp $ */ 1/* $OpenBSD: ssh-keygen.c,v 1.374 2019/12/10 22:37:20 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1735,10 +1735,12 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
1735 int r, i, fd, found, agent_fd = -1; 1735 int r, i, fd, found, agent_fd = -1;
1736 u_int n; 1736 u_int n;
1737 struct sshkey *ca, *public; 1737 struct sshkey *ca, *public;
1738 char valid[64], *otmp, *tmp, *cp, *out, *comment, **plist = NULL; 1738 char valid[64], *otmp, *tmp, *cp, *out, *comment;
1739 char *ca_fp = NULL, **plist = NULL;
1739 FILE *f; 1740 FILE *f;
1740 struct ssh_identitylist *agent_ids; 1741 struct ssh_identitylist *agent_ids;
1741 size_t j; 1742 size_t j;
1743 struct notifier_ctx *notifier = NULL;
1742 1744
1743#ifdef ENABLE_PKCS11 1745#ifdef ENABLE_PKCS11
1744 pkcs11_init(1); 1746 pkcs11_init(1);
@@ -1784,6 +1786,7 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
1784 fatal("CA key type %s doesn't match specified %s", 1786 fatal("CA key type %s doesn't match specified %s",
1785 sshkey_ssh_name(ca), key_type_name); 1787 sshkey_ssh_name(ca), key_type_name);
1786 } 1788 }
1789 ca_fp = sshkey_fingerprint(ca, fingerprint_hash, SSH_FP_DEFAULT);
1787 1790
1788 for (i = 0; i < argc; i++) { 1791 for (i = 0; i < argc; i++) {
1789 /* Split list of principals */ 1792 /* Split list of principals */
@@ -1834,8 +1837,16 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
1834 fatal("Couldn't certify key %s via agent: %s", 1837 fatal("Couldn't certify key %s via agent: %s",
1835 tmp, ssh_err(r)); 1838 tmp, ssh_err(r));
1836 } else { 1839 } else {
1837 if ((r = sshkey_certify(public, ca, key_type_name, 1840 if (sshkey_is_sk(ca) &&
1838 sk_provider)) != 0) 1841 (ca->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
1842 notifier = notify_start(0,
1843 "Confirm user presence for key %s %s",
1844 sshkey_type(ca), ca_fp);
1845 }
1846 r = sshkey_certify(public, ca, key_type_name,
1847 sk_provider);
1848 notify_complete(notifier);
1849 if (r != 0)
1839 fatal("Couldn't certify key %s: %s", 1850 fatal("Couldn't certify key %s: %s",
1840 tmp, ssh_err(r)); 1851 tmp, ssh_err(r));
1841 } 1852 }
@@ -1873,6 +1884,7 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
1873 if (cert_serial_autoinc) 1884 if (cert_serial_autoinc)
1874 cert_serial++; 1885 cert_serial++;
1875 } 1886 }
1887 free(ca_fp);
1876#ifdef ENABLE_PKCS11 1888#ifdef ENABLE_PKCS11
1877 pkcs11_terminate(); 1889 pkcs11_terminate();
1878#endif 1890#endif
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-10 11:41:47 +0000